Tue, 7 Jun 2011

The text that follows is a short statement I prepared for the press ahead of my presentation at 'The International Conference on Cyber Conflict' (http://www.ccdcoe.org/ICCC/) in Tallinn, Estonia. It felt like I had a very mixed response, so I'd be interested to hear what others think…

My background and context

Any opinion can only be understood if you also understand its context. Therefore, in order to understand the thinking that follows, you also have to understand my perspective. Three aspects of my context affect my thinking here:

My business is Attack and Penetration testing. I have little insight or experience beyond that narrow field and therefore my view will be skewed by my professional experiences.

Our business is primarily based in South Africa. Hence much of my perspective is formed by making my living in a developing country.

I am no expert on international policy. Hence my hope is that my views can help to inform policy. I'm not attempting to dictate policy in any way.

It should be noted that these are the perspectives I was asked to bring to the event.

In the piece that follows I will make 5 basic hypotheses, namely:

Information warfare is real

Information warfare is asymmetrical

Countries like South Africa can't defend themselves

Neither can other countries

This reality must surely impact cyber policies world-wide

Information warfare is real

My first point is that 'information warfare' or 'cyber warfare' (by some definition) is real and is happening already today. Certainly, even if we are not seeing actual 'battles' being fought, the so-called 'military digital complex' described by Dr Dan Geer exists and is busy accumulating skills, technology and cyber territory as we speak. If the general public was not aware of this already, then this fact became blatantly clear from the email correspondence of the information security firms 'HBGary', 'Palantir' and 'Endgame Solutions', which was recently made public after HBGary's systems were allegedly breached by the hacker collective known as 'Anonymous'.

Information warfare is asymmetrical

My next point is that information warfare is asymmetrical, with the cards stacked massively in favor of the attacker. Those of us doing so-called 'red team' work have always argued that the defender has to be successful all of the time, while the attacker only has to be successful once, which suggests that a successful compromise of any given target is always just a matter of time and money.

This fact is graphically illustrated by the apparent success of the Stuxnet attack against the Iranian nuclear enrichment program at Natanz. By all accounts Stuxnet was a devastatingly successful attack launched by one nation or group of nations against key national infrastructure of another nation. It bypassed all reasonable security controls and could easily have been more destructive, potentially even causing loss of life. All that at the measly price of between $500,000 and $2 million - apparently less than what the US Air Force currently spends in a day.

When it comes to securing an entire country against a well-funded and well-equipped adversary this is even more true, because governments have a dependency on systems and infrastructure for banking, administration, utilities, industry and communications that they do not control. Security in many of these industries is still very poor and, even if governments did apply themselves to improving security as a matter of national policy, I would argue that it may already be too late and that many systems are already compromised by malicious software, some of which will be too sophisticated to detect and remove on the scale required.

A simple analogy for what I'm saying here can be seen in the recent Wikileaks saga. We tend to think of the Wikileaks saga in terms of Julian Assange and the 'leak', but really what we should be considering is the fact that over 500 thousand people apparently had access to the so-called 'secret' documents that Assange ultimately released to the world. It's a problem of scope: how can a government hope to protect something that is being accessed by half a million people, and how can we begin to believe that, with that level of exposure, the security of SIPRNET hadn't already been breached multiple times before?

Now you can see why information warfare is asymmetrical and why it is almost impossible for an entire country to defend itself. This is the core element of my hypothesis this week.

Countries like South Africa can't hope to defend themselves

If it's true that information warfare is real, and that it's asymmetrical as I've argued, then where does that leave countries like my home, South Africa? South Africa is a typical developing country. Situated at the very tip of Africa, the country is a greedy adopter of new technologies like mobile telephony, nuclear power, e-government and online banking that support growth and the upliftment of our people; but, plagued by HIV/AIDS, crime, high unemployment and poor systems of education, we don't have the skills or financial resources to invest in the kind of security we would need to even begin to defend ourselves. South Africa is "connected", but not "protected".

If my government were to approach me and ask: "How can we defend ourselves in this new realm of cyber warfare?" I would have to answer: "We can't". So what option is left to South Africa? Either we can ignore the problem and hope it goes away, or possibly we can develop our own offensive capability to act as a deterrent to would-be attackers. I'm not sure whether this strategy would work, but I do believe that it would at least be feasible to implement, which a defensive strategy is ultimately not. If you accept our previous assertion that a capability like Stuxnet could be developed for just a few million dollars, then even South Africa could afford to get in on the cyber warfare game and potentially strike a few retaliatory blows against its enemies or would-be enemies and thereby maintain a kind of uncomfortable peace. Rather than developing such a capability, we could acquire one commercially, or possibly join a treaty to obtain one, but it strikes me as basically the same thing.

But neither can other countries

But here's the twist: What's true for small, developing countries like South Africa is actually also true for all countries. The size of your country does not fundamentally alter the asymmetry of the equation: The attacker still has the advantage. One could even argue that the bigger your country, and the more connected your systems are, the more vulnerable you are to attack. If this argument is true, that means almost all countries will be presented with the same lack of strategic options for cyber warfare that South Africa has.

So where does it all go from here?

Thus far I have argued that we are (finally) seeing the dawn of a new cyber battle space and that in this new battle the odds massively favor the attacker. I've argued that information and information systems are simply too large, too complex and too inter-connected to defend, and that incidents like Stuxnet and Wikileaks will therefore, inevitably, become more commonplace. I've also suggested that this is probably just the tip of the iceberg.

I've argued that this new reality poses a real national-security challenge to small and emerging countries like South Africa, which are 'connected' but can never really be sufficiently 'protected' to defend themselves against a well-funded adversary. I surmised that this is true (to a greater or lesser extent) for all countries, no matter how large or powerful.

If this analysis is accurate then it is my opinion that countries have two options going forward. Now, I am no military or political scientist so my domain of expertise is being severely stretched here, but the two options I see are:

Cyber neutrality and information freedom

or

A cyber arms race and Mutually Assured Destruction

In the first option governments can accept that information and information systems cannot be defended against all threats and endeavor to shape local and international affairs in such a way that conflict is avoided, there are no secrets, and there is shared benefit in keeping their information systems alive and connected to the rest of the world.

I love this view of the future as it resonates deeply with the original hacker ethos in which I was 'raised', but I have to confess that I struggle to imagine it being real.

In the second model countries will endeavor to defend themselves by building deterrents - tools of mass cyber destruction aimed at their enemies, backed by the threat of destructive digital force. As history showed us during the Cold War, it seems to me that this approach will ultimately reach a kind of digital stand-off where no single country can afford to unleash its weapons for fear of also destroying itself, and the conflict will be reduced to an endless series of spy-vs-spy intrigues and counter-intrigues that will play out in the computers of every government, business, school and even home in the world.

There may be a third option, but if there is I fail to see it. One thing is clear: unless governments, NGOs, thinkers like Tom Wingfield and other leaders act quickly to highlight and address these challenges, then history will take its inevitable course and my colleagues and I will soon all be wearing uniforms and working for the military.

I suggest that you check out the BBC2 documentary series, "All Watched Over by Machines of Loving Grace" from Adam Curtis. It just finished airing last night.

Finally, I think there are third and fourth options: disconnection and censorship. Disconnection may be forced by Computer Network Attack, as was the case in Estonia. It may be a personal choice that many people will make, especially after they lose family and friends. It is a technological advantage of Iran and China (in addition to Libya, Syria, Tunisia, and other places that had their Internet shut off) -- and the US wishes to enable such a system as well. Censorship is another subject for another time, but it definitely directly relates to everything we're discussing.

I think that cyberwarfare between 2 or more countries is (technically) possible, but not preferable for the countries involved. Like in the Russia vs Georgia conflict, it would only benefit an already full-blown conflict.

I think the real threat is small but deliberate sabotage and/or technology theft.

You can defend against a full-blown campaign with the idea of M.A.D, but it is difficult to retaliate in the event of small skirmishes or individual breaches of security.

The best way to 'defend' is to have a team that is capable of tracking down and taking out an adversary either digitally or physically.

The digital world is as much a part of our real world as the tree standing in my garden. So the defence does not have to be digital. You can defend in a physical way. Most countries already have a physical defense in place.

Offensive security works (up to a point), but let's also start educating people how to defend themselves passively. You say it's probably too late... I say: it's never too late.

I agree with the assumption that compromise of any target is always possible, it's just a matter of time and effort. That does seem to suggest that efforts spent on defense are somewhat wasted. But if you make a further assumption you can turn this around. I would argue that with sufficient skill and effort any attacker can compromise a desired target, and remain completely anonymous. All of a sudden any nation making a claim: "We will respond in kind to any cyber attack!" is just writing checks they can't cash. Worse yet, an offensive security plan can be exploited by others. As an Elbonian nationalist I want to attack Genosha, but their defenses are too good, so I attack South Africa's infrastructure and make it look like it came from Genosha. They put their resources into attack, so it's both easier to do the damage, leaving the fake evidence behind, and they'll have better success attacking Genosha's superior defenses.

IMHO, all efforts should be put into defense, despite the fact that defense is impossible.

What is written here resonates with me. I also attended the ICCC3 and saw your presentation, but only chanced upon this entry today.

My opinion (like they say in German, "ohne Gewaehr", i.e. without guarantee) is that the most important general cyberwar/conflict trend in 2011 is the realization that networks (of all sorts) are a much larger force multiplier for creative destruction than previously appreciated.

Networks changed the name of the game: it is now possible to effect large-scale societal, financial, and political changes in the blink of an eye. Comparable to the time period of nuclear strategy before second-strike capabilities, we have once again entered a time where there is a first-strike advantage. This is geo-politically dangerous because it is a geo-politically unstable equilibrium: he who races to fire the first prepared salvos in a cyberphysical war will win (if but a pyrrhic victory). The more advanced a society is (especially open societies), the more vulnerable it is to these types of first strikes.

I do think we need a clearly articulated MAD (Mutually Assured Destruction) doctrine for the cyberphysical age; with iron-clad triggers and decision points: Quantitative decision metrics as measured by degradation of critical infrastructure performance, as well as attribution policies.

@haroon You make a good point about asymmetry that didn't come through well in my posting but that I tried to rectify in my presentation. The point that I was trying to make is not that retaliation is an intelligent strategy, but that for smaller countries, ones that can't compete 1-1 with the big boys, it might be considered a viable strategy. I can especially imagine this to be the case for 'rogue' nations and states with a predisposition to aggression.

I'm also not meaning to suggest that defense should be abandoned (I think I handled this better in my presentation also) but again that I can envisage a small nation electing to concentrate on deterrence rather than defense. My argument is that it's precisely the asymmetrical nature of cyber conflict that makes this a strategy worth considering … especially if you're naturally 'aggressive' as I mentioned before. You and I both know that it would be hugely costly and time-consuming for a country like South Africa to effectively protect *all* of its critical infrastructure (including those parts that are controlled by the private sector), whilst an effective 'strike-back' capability might quite reasonably be developed within just a few years.

I also wonder whether this approach couldn't be seen to overcome the 'attribution' problem also: if your intent is simply to send a message to your adversaries by punishing attackers, then maybe you don't have to get attribution 100% right. You'll know who your adversaries are without having to know exactly where an attack originated, so send a message by striking back at them!

Again… I'm not proposing this strategy, I'd just be surprised if others aren't considering it.

@Charly I'm sorry if I sounded defeatist … I'm not. Please see my comments @Haroon. If we take your comment: "The best way to 'defend' is to have a team that is capable to track down and take out an adversary either digitally or physically", then my point is: "Exactly - I bet this conversation is happening in war rooms across the world as we speak".

@Thomas The argument about attribution certainly shoots a big hole in the retaliation strategy. However, I can still imagine that for certain nation states proper, technical attribution might not matter. Through its normal intelligence resources any functional state should have a good idea of who its enemies are. They don't need to know exactly who struck them to strike back… they simply have to strike back at any of their enemies with some cause to send a message to the rest. We also oughtn't wear only a technical hat when considering a retaliation strategy - a modern military will have countless other means through conventional intelligence of knowing or guessing who struck at them without requiring a detailed packet trace.

@Daniel Thank you very much … excellently put. Nicholas Taleb's use of the terms 'Mediocristan' and 'Extremistan' (http://www.black-swans-explained.com/mediocristan-vs-extremistan/) comes to mind here … we are certainly moving into an 'extreme' environment where the effects of an offensive action could grow at an exponential rate.

I hadn't thought of 'first strike' as a strategy, or its potential implications - thank you.